Encryption at Rest

When you store sensitive data in your ArangoDB database, you want to protect
that data under all circumstances. At runtime you will protect it with SSL
transport encryption and strong authentication, but when the data is already
on disk, you also need protection. That is where the Encryption feature comes
in.

The Encryption feature of ArangoDB will encrypt all data that ArangoDB is
storing in your database before it is written to disk.

The data is encrypted with AES-256-CTR, a strong encryption algorithm that is
well suited to multi-processor environments. This means that your data is
safe, but your database is still fast, even under load.

Most modern CPUs have built-in support for hardware AES encryption, which makes
it even faster.

The encryption feature is supported by all ArangoDB deployment modes.

Limitations

The encryption feature has the following limitations:

Encrypting a single collection is not supported: all the databases are
encrypted.

It is not possible to enable encryption at runtime: if you have existing
data you will need to take a backup first, then enable encryption and
start your server on an empty data-directory, and finally restore your
backup.

The Encryption feature requires the RocksDB storage engine.

Encryption keys

The encryption feature of ArangoDB requires a single 32-byte key per server.
It is recommended to use a different key for each server (when operating in a
cluster configuration).

Make sure to protect the encryption keys! That means:

Do not write them to persistent disks on your server(s); always store them on
an in-memory (tmpfs) filesystem.

Transport your keys safely to your server(s). There are various tools for
managing secrets like this (e.g. vaultproject.io).

Store a copy of your key offline in a safe place. If you lose your key, there
is NO way to get your data back.

Configuration

To activate encryption of your database, you need to supply an encryption key
to the server.

Make sure to pass this option the very first time you start your database.
You cannot encrypt a database that already exists.

Note: You also have to activate the RocksDB storage engine.

Encryption key stored in file

The file /mytmpfs/mySecretKey must contain the encryption key. This
file must be secured so that only arangod can access it. You should
also ensure that someone who steals the hardware cannot read the
file, for example by encrypting /mytmpfs or by creating an in-memory
file-system under /mytmpfs.
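
The key requirements from "Encryption keys" and the keyfile requirements above can be checked before arangod is started. The following script is an added example, not part of the ArangoDB documentation; it assumes Linux with GNU or BusyBox stat, and the function names and return codes are invented for this sketch.

```shell
#!/bin/sh
# Added example (not ArangoDB's own tooling). gen_keyfile/check_keyfile and
# their return codes are hypothetical names chosen for this sketch.
# Typical use: gen_keyfile /mytmpfs/mySecretKey && check_keyfile /mytmpfs/mySecretKey
# arangod is then started with --rocksdb.encryption-keyfile set to that path.

# Write a fresh 32-byte random key to $1, readable by its owner only.
gen_keyfile() {
    ( umask 077 && head -c 32 /dev/urandom > "$1" )
}

# Pre-flight check of keyfile $1.
# Returns 0 = ok, 1 = missing or not exactly 32 bytes,
#         2 = accessible by group/others, 3 = not on an in-memory filesystem.
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }

    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -ne 32 ]; then
        echo "$f: key is $size bytes, expected 32" >&2
        return 1
    fi

    # Owner-only permissions: group and other digits must both be 0.
    mode=$(stat -c %a "$f")
    case $mode in
        [0-7]00) ;;
        *) echo "$f: mode $mode lets group/others access the key" >&2
           return 2 ;;
    esac

    # Filesystem type of the mount holding the key (stat -f = filesystem info).
    fstype=$(stat -f -c %T "$f")
    case $fstype in
        tmpfs|ramfs) ;;
        *) echo "$f: on $fstype, not tmpfs; key may persist on disk" >&2
           return 3 ;;
    esac
    return 0
}
```

Run check_keyfile as the account that owns the keyfile; a non-zero return code identifies which requirement failed.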